My Blog

I decided to finally get with it and create my own Blog. I don't know how often I'll be blogging, as I stay fairly busy, but I'll try to post here every so often. Since most of the work I do relates to Microsoft Exchange, probably much of what I blog about will relate to that, but I'm sure that there will be occasional (or frequent) blogs about my family.

About Me

I grew up near Ann Arbor, Michigan and went to college at BYU (Brigham Young University). In 1992, I took 2 years off from school to serve a full-time mission for my Church (the Church of Jesus Christ of Latter-day Saints) in Frankfurt, Germany. I've been married for 11 years and have 4 beautiful children. I have been working with Exchange since 1999.

Hacking your Windows Mobile 5.0 Registry
Sounds like a great start to a post, huh? OK, here's the deal. I've blogged a few times about my Jasjar (yes, I still love it and use it almost every day).

Devin Ganger at 3Sharp blogged about the inability to add Root SSL certificates on some WM 5.0 devices, which is true. What isn't mentioned much of anywhere (you have to look around pretty hard) is that you actually can still disable Certificate Checking - you just can't use the old DisableCertChk tool from Windows Mobile 2003. Microsoft doesn't recommend this, but it's a necessary evil in some situations. Two that I can think of are:

1. Your company uses a Wildcard SSL Certificate (i.e. *.company.com). Windows Mobile 5.0 (or any other version for that matter) does NOT support wildcard certs. Why, I'm not sure, but it doesn't.
2. You have a manufacturer-locked device that prevents you from adding additional Root Certificates. Again, WHY a manufacturer would prevent folks from adding additional root certificates is beyond me, but it happens.

So, on to the registry hacking. First, you download my new favorite freeware Windows Mobile Registry editor, PHM registry editor, which I blogged about earlier. The ONLY catch with this program is that it may not install correctly on newer devices. What I ended up having to do was install the program on my desktop (which just extracts a bunch of cab files), then go to the install directory, grab the cab files and copy them to my device. The one that ended up working for me was the cab file named regedit_Mrln_ARM.cab. Simply click on the file from your Windows Mobile device, and it will install it. Once it is installed, you can delete all the cab files from the device.

Surprisingly (or not), the registry on Windows Mobile devices is very familiar if you have ever looked at the registry on a regular PC. Anyways, to disable Cert Checking, you navigate to the following location:

Hkey_Current_User\Software\Microsoft\ActiveSync\Partners

Here you should notice 2 sub-keys, both with a unique UID. One is set up for the ActiveSync Partnership with your PC, the other is set up for the partnership with your Exchange server. Fortunately, it is fairly easy to distinguish between the two. Simply highlight one of them, and look at the different values. You'll see pretty quickly which one is for your Exchange server. While the partner key for your Exchange server is highlighted, create a new value with the following parameters:

Type: DWORD
Name: secure
Value: 0

That's all there is to it. You have now successfully disabled certificate checking on your device and can now have ActiveSync use SSL with wildcard certs and self-signed certs.
- posted by Ben Winzenz @ 1:24 PM
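To make the trade-off in the post concrete, here is an added example (not code from the post, and not Microsoft's ActiveSync code): a small Python model of the decision a sync client makes before accepting a server certificate. It assumes three behaviours taken from the post and its comments: exact-name matching only (the WM5 behaviour that rejects *.company.com), wildcard-aware matching in the RFC 6125 style that later clients use, and no checking at all when `secure` is 0. The certificate records are constructed sample data, and the model covers only the name and trust-chain decision, not how the device's certificate store behaves.

```python
"""Model of the certificate decision that the 'secure' value switches off.

Added example, not code from the original post or from Microsoft.  The
certificate records are constructed sample data; the model covers only
the name and trust-chain decision, not the device certificate store.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """The two facts about a server certificate that the model compares."""
    subject_cn: str      # name in the certificate, e.g. 'mail.company.com'
    trusted_root: bool   # chain ends in a root the device trusts (built in or installed)


def exact_match(cn: str, host: str) -> bool:
    """Name check with no wildcard support, the WM5 behaviour the post describes."""
    return cn.lower() == host.lower()


def wildcard_match(cn: str, host: str) -> bool:
    """Name check that honours a single leftmost '*' label (RFC 6125 style).

    '*.company.com' matches 'mail.company.com' but not 'company.com'
    (nothing for the wildcard to stand for) or 'a.b.company.com'
    (the wildcard may not span a dot).
    """
    cn, host = cn.lower(), host.lower()
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                       # '.company.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def accept(cert: Cert, host: str, *, secure: int = 1, wildcards: bool = False) -> bool:
    """Would the client accept 'cert' when syncing with 'host'?

    secure=0 mirrors the registry value from the post: neither the name
    nor the trust chain is examined, so any certificate is accepted.
    secure=1 requires a trusted chain and a matching name.
    """
    if secure == 0:
        return True
    if not cert.trusted_root:
        return False
    matcher = wildcard_match if wildcards else exact_match
    return matcher(cert.subject_cn, host)


HOST = "mail.company.com"
# Constructed sample certificates (not real ones).
WILDCARD = Cert("*.company.com", trusted_root=True)         # public wildcard cert
SELF_SIGNED = Cert("mail.company.com", trusted_root=False)  # not yet installed on the device
INSTALLED = Cert("mail.company.com", trusted_root=True)     # same cert after installing it
UNRELATED = Cert("proxy.example.test", trusted_root=False)  # what an interposed proxy would present


def decision_table() -> dict[tuple[str, str], bool]:
    """Every sample certificate against the three client behaviours, keyed (cert, mode)."""
    certs = {"wildcard": WILDCARD, "self-signed": SELF_SIGNED,
             "installed": INSTALLED, "unrelated": UNRELATED}
    modes = {
        "wm5 exact-only": dict(secure=1, wildcards=False),
        "wildcard-aware": dict(secure=1, wildcards=True),
        "secure=0": dict(secure=0, wildcards=False),
    }
    return {(c, m): accept(cert, HOST, **kw)
            for c, cert in certs.items() for m, kw in modes.items()}


if __name__ == "__main__":
    for (c, m), ok in decision_table().items():
        print(f"{c:12} {m:15} {'accept' if ok else 'reject'}")
```

Running it prints the table: the wildcard certificate is rejected by the exact-only matcher and accepted by the wildcard-aware one, which is exactly the WM5/WM6 difference the post turns on. With `secure` set to 0 every row is accepted, including the unrelated certificate from an untrusted issuer, which is the man-in-the-middle exposure raised in the comments. The lower-risk route the page itself names is to keep checking on and give the device a certificate it can validate, either a single-name public certificate or one installed on the device.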

You actually aren't disabling security. What you are doing is disabling Certificate checking. That means that you can still require SSL on your Exchange server for ActiveSync (our server requires SSL), and you can still set up your device to use SSL (mine is set this way). You simply don't check to make sure that the certificate is *valid*. If this disabled SSL period, then I would no longer be able to sync with my server. Hackers cannot intercept messages with this change because you can still use SSL.

The whole point of this registry entry was to enable WM devices to support wildcard certificates (for one) that are becoming increasingly common. I don't believe that replacing a wildcard certificate with a regular one is a valid option. The point of wildcard certificates is so that you can use the same certificate with multiple web servers.

I'm afraid you are. If you disable certificate checking, you are vulnerable to a "man-in-the-middle" attack. Sure, your connection is encrypted through SSL, but the server has not been authenticated so this man-in-the-middle can decrypt everything.

I am puzzled why Microsoft is not supporting wildcard certificates in Windows Mobile. Could be a technical reason, could be a financial reason (a monetary deal with the 5 standard CAs in Windows Mobile).

I'll agree that you are "in part" disabling some of the security mechanisms, and Microsoft doesn't recommend this, but they leave little choice. It is also nothing new and Microsoft even provided a native tool with Windows Mobile 2003 to disable certificate checking. If a MITM attack truly is possible in this scenario (I'm still not sure that it is), the risk is still very small in my opinion.

I too am a bit puzzled why wildcard certs aren't supported, but perhaps that support will be added in the future (hopefully).

Please check what actually got installed - I doubt the program actually installed on your PPC - if it did install, you should find it in the programs group (Start, Programs). The PHM registry editor program seems to have an issue with the actual installation. For me, ALL it did was extract the .cab files onto the hard drive of my laptop. I had to manually copy the cab files to my PPC and click on each one to figure out which cab file worked for my device.

Thank you so much for this tip! This is huge for me because I was getting the certificate error during ActiveSync. Our email system uses a wildcard certificate by Digicert which we purchased to use on the various servers we have. Microsoft needs to support this now, but in the meantime, I'm very happy with the hack you provided. My email admin also seems to think that the risk is relatively low for a hacker to intercept messages.

I have followed these instructions to edit the registry, and all seems to be well; however, when I sync I get prompted for my password. I have verified that I am using the correct pw, but it still prompts for the password again and again. Anyone have any ideas?

What happens if you hook your device up to your computer and run ActiveSync from there? Does it still prompt you for the password? Also, note that if the certificate you are using is not from one of the default certs installed on WM, then you still need to install the cert in addition to creating this registry key...

I imported our certificate into the phone. I am not a whiz at this stuff, so I have a buddy coming up to my office tomorrow to shadow me and make sure I am doing all of these steps correctly. However, I have read some other forums where others were having this same password problem, but never saw any correcting responses. I will double-check the registry and that I imported the correct certificate. You might check back tomorrow and I will let you know if I got it or not.

I am attempting to turn password required on (changing the 0 to a 1 in my Motorola Q registry). It won't let me and keeps giving me an error when I hit done. I suspect the carrier (Telus) in Canada has locked it as a read-only area. Any ideas on how I might be able to change it? I need to do this to get at the connection settings username and password for the 1x during login as I am using a different carrier than Telus or Verizon. Thx for the help

Odds are that if you are getting an error when you try and save the changes, the registry is locked down on your device. Sorry I can't be of more help. I'm fortunate to have a completely unlocked device, but since Motorola has an exclusive agreement with Verizon to provide the Q (at least for now), I don't anticipate an unlocked version for a while.

I now have a Verizon Q that is unlocked so I would like to edit the registry area to set up the Data network settings. Do you know the locations for the # 777 number setting along with username and password and the data connection settings as they are also a bit different in Canada on the 1X and evdo setup. I know how to edit the registry but am not familiar with the various locations. A list or link plus any help is much appreciated Thx

On Windows Mobile 5, you don't need the SPAddCert program to install the cert. Instead, simply copy the certificate to the device, and then use the File Explorer to go to the location where you copied the cert, and then simply click on the cert. You should be prompted to install the certificate. See if that works...

For John and the last comment - there is literally only one reason that I've come across that you should ever have to disable certificate checking. That is for a wildcard certificate. The reason is that WM5.0 doesn't support wildcard certs. If you are disabling cert checking, and you do not have a wildcard cert, then you have an issue with the type of cert (i.e. it's a self-issued cert), or how it is installed. If you are using a self-issued cert, then you may need to invest in a public cert. They are cheap enough (less than $100) that cost shouldn't be an issue.

Just as a note, if you want to have Communicator Mobile use a Wildcard SSL certificate, use the same PHM Edit: HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings\DisableCRLCheck. Set this to 1 to disable SSL Certificate Checking in Communicator Mobile.

Just as a note on my I-Mate JasJam I have to use the regedit.Mrln_ARM.CAB to install the editor.

I had been trying to either add a root cert or disable checking for half a day when I found this: http://blogs.msdn.com/windowsmobile/archive/2006/08/11/sslchainsaver.aspx

All you need to do is download the sslchain program and then run it against your exchange frontend web server. It creates the certificates you need and puts them in a folder. Copy them onto your device and then click on them by using the file explorer and this installs them. I have copied the instructions from the link above that helped me. The last point says to do it in order - I'm not sure if I did that but it works anyway.

Now if anyone knows a way to disable the proxy permanently (stupid activesync keeps reapplying it because my PC has it but I dont want this pda to use it) please email me at rosege@hotmail.com

4) Type sslchainsaver mail.yourdomain.com

5) All the certificates (root and intermediate) are extracted to a folder under C:\Test\bin\release named mail.yourdomain.com

6) Copy all the certificates to your device

7) Install them one by one on the device by tapping on them in the same order as listed on the actual certificate from File Explorer
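The comment above describes a tool that dumps a server's intermediate and root certificates into a folder so they can be copied to the device and installed in order. As an added example (this is not the sslchainsaver tool and not Microsoft code), the Python below does the splitting half of that job on a PEM bundle you already hold, such as the output of `openssl s_client -showcerts`, and writes one DER-encoded .cer file per certificate, numbered in chain order. It assumes the chain is listed leaf first and root last, as chain dumps normally are; `SAMPLE_BUNDLE` is constructed placeholder data (valid base64, not real certificates).

```python
"""Split a saved certificate chain into one .cer file per certificate.

Added example; not the sslchainsaver tool from the comment above and not
Microsoft code.  SAMPLE_BUNDLE is constructed placeholder data.
"""
from __future__ import annotations

import base64
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S
)


def split_pem_chain(bundle: str) -> list[str]:
    """Return each certificate as its own PEM block, in the order found.

    Chain dumps list the server (leaf) certificate first and the root
    last, so index 0 is the leaf.  Surrounding noise such as 'depth='
    or 'verify return' lines is ignored.
    """
    return [
        "-----BEGIN CERTIFICATE-----\n" + body.strip() + "\n-----END CERTIFICATE-----\n"
        for body in PEM_BLOCK.findall(bundle)
    ]


def der_chain(bundle: str, include_leaf: bool = False) -> list[bytes]:
    """DER bytes of the certificates to put on the device, in chain order.

    The device needs the issuing certificates (intermediate and root) to
    trust the server, so the leaf is skipped unless include_leaf=True.
    """
    certs = split_pem_chain(bundle)
    if not include_leaf:
        certs = certs[1:]
    # PEM_cert_to_DER_cert strips the armor and base64-decodes the body.
    return [ssl.PEM_cert_to_DER_cert(pem) for pem in certs]


def write_chain(bundle: str, outdir: str, include_leaf: bool = False) -> list[str]:
    """Write chain_1.cer, chain_2.cer, ... (DER form) and return their paths.

    Numbering follows chain order so the files can be installed 1, 2, 3,
    as the comment's step 7 asks.
    """
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for n, der in enumerate(der_chain(bundle, include_leaf), start=1):
        path = out / f"chain_{n}.cer"
        path.write_bytes(der)
        written.append(str(path))
    return written


def _fake_pem(label: bytes) -> str:
    """Constructed stand-in for a certificate: the label, base64-encoded."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label).decode()
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample resembling 'openssl s_client -showcerts' output.
SAMPLE_BUNDLE = (
    "depth=2 CN = Constructed Root CA\nverify return:1\n"
    + _fake_pem(b"constructed leaf: CN=mail.yourdomain.com")
    + _fake_pem(b"constructed intermediate CA")
    + _fake_pem(b"constructed root CA")
)


if __name__ == "__main__":
    for path in write_chain(SAMPLE_BUNDLE, "chain_out"):
        print("wrote", path)
```

Replace `SAMPLE_BUNDLE` with the text you saved from your own server and copy the resulting chain_N.cer files to the device. Installing the issuing certificates this way keeps certificate checking on, so it is the option to prefer over the `secure` = 0 change whenever the device lets you add root certificates.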

Very helpful post. Got me one step further... But I too have to type my password in again and again. And no sync occurs. I assume that your hack works without any cert installed on the Windows Mobile side: that's what I want to achieve. Help would be very much appreciated.

The main point of this registry key is so that you can use an unsupported certificate (i.e. wildcard cert). If your Exchange server is set to require SSL for mobile devices, then you will have to install a certificate on your mobile device, either by directly installing it, or by using a cert on the Exchange server that is already trusted by Windows Mobile. This registry key does not address not requiring a cert at all.

Thanks so much for your answer but I am afraid I don't fully understand it. To make it clear: I've been doing OWA SSLed with a mobile device (WM 2003 + ActiveSync) on my Exchange server. That server has a self-created certificate using the internal server name. All that stuff went great thanks to the CERTCHK tool that prevents cert install on the phone/PDA: an issued cert that would identify the device, I assume. Today I got a brand new device with WM 5.0 installed. And I (happily) ran across your blog, then applied the key hack. But ActiveSync "keeps asking password".

So I ask a few more:
Does WM 5.0 use OWA or OMA?
Do I have to install a certificate on the mobile device? If so, is it the server's one?
Is there a naming issue? As for now my server name / domain / cert server name trio is not homogeneous at all (but gives satisfaction on WM 2003 devices).

Thanks again for your efforts to make my users proud with their (hopefully soon) fully functional brand new PDA/Phone/Expensive little thing!

Hi There - Great pointers, and have read through your blog but did not see anything on my issue. I am running a JasJam as well, on WM5, and have manually moved my Exchange-issued cer over, and double clicked it, when I get the error message: "Cannot access certificate". Any clues as to what I am doing wrong here? This certificate has been used on an i-mate SP3 with cert checking disabled with problems apparently.... Thanks.

1. Neither. WM5 accesses the ActiveSync virtual directory, which in turn then accesses the Exchange vdir.
2. If you are using a self-signed certificate, then YES, you absolutely need to install the cert on your device, and yes, it is the server cert (the one installed on the default web site). Even with the instructions in this blog, you still need to install the cert. As I mentioned before, this post only addresses if you have a wildcard cert (i.e. *.domain.com), which it doesn't sound like you have.

You need to export the certificate to a .cer file I believe, then copy that to the device and make sure it gets installed properly. There are some blogs from the Windows Mobile folks at Microsoft that cover other details of how to install certs.

Anonymous - I'm not sure exactly what you are doing wrong, but I would try exporting the certificate again and re-copying it to the device. Unless your device is locked down, you should be able to just copy the cert over and then click on it to install it. If this is a device from Verizon or Sprint, you can try using the spaddcert.exe, which can be found here: http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=spaddcert&DisplayLang=en

Can I use this app to pull MP3 files from my SD card into my ringers selection? The internal memory is not large enough to store as many as I would like in the windows/rings folder, and if I store them in the SD card, I can't access them in the ringer selection screen. I've never used a registry editor before but understand it might be the answer to my problem. Feel free to email me at tnilson@daktronics.com

Again - let me be clear. The Reg hack for disabling certificate checking is NOT for self-signed certs. It is ONLY needed for wildcard certs. That was specifically because wildcard certs weren't supported in WM5 (they are supported in WM6, BTW).

With a self-signed cert, as long as you install the cert on your device, you should have no issues. Export the cert, copy it to your device, then click on it to install it. That should be all you need to do.

Hoping you can help.... My corporate Exchange server has a self-signed certificate; however, it has expired. My WM5 device (Treo 750) will not connect to it, saying "The server could not be reached. This can be caused by temporary network conditions." Support code: 0x80072EFD

I cannot even get to Outlook Web Access either, it states the connection was lost.

I have made the assumption it is just due to the expired cert. Any idea how I can get it to ignore the expired certificate?

(I have asked MIS to fix the website and they are getting to it.....will take a long time)

Thanks, Ben and Co. Yours seems to be the only comprehensive info on the web on the problems encountered with phone security, cert checking and so on. I followed your actions and eventually got through the phone blocking and other issues and got cert checking, etc., disabled. Exchange ActiveSync is now working with wildcard certs.

I have to say, I think it's really strange that even with certificate checking disabled, you still need the certificates installed. Funny.

Many thanks everyone.

Re: "What happens if you hook your device up to your computer and run ActiveSync from there? Does it still prompt you for the password? Also, note that if the certificate you are using is not from one of the default certs installed on WM, then you still need to install the cert in addition to creating this registry key...# posted by Ben Winzenz : 12:37 PM, May 23, 2006"

Glad this helped you. As far as the requirement to still install the cert, remember that this registry change doesn't turn off the SSL requirement, it just turns off checking whether the certificate is valid. Since wildcard certs aren't supported in WM5, they can't be checked anyways, hence the requirement for this workaround.

Hi, thank you for this information. I followed your directions; however, I still cannot sync. Before I found you I could not access Outlook Exchange via sync or via web browser. However, now I can access via web browser and still not via sync. If it takes the cert via browser, shouldn't it take it via sync? Any ideas?